The protection flags for the session cookie has been added.

da010e2a · Mathias Vehus · 5ed54ee1 · da010e2a · da010e2a · da010e2a
Commit da010e2a authored Nov 10, 2021 by Mathias Vehus
--- a/.idea/runConfigurations.xml
+++ b/.idea/runConfigurations.xml
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="RunConfigurationProducerService">
-    <option name="ignoredProducers">
-      <set>
-        <option value="com.android.tools.idea.compose.preview.runconfiguration.ComposePreviewRunConfigurationProducer" />
-      </set>
-    </option>
-  </component>
-</project>
\ No newline at end of file
--- a/production.db
+++ b/production.db
--- a/src/main/java/inf226/inchat/Handler.java
+++ b/src/main/java/inf226/inchat/Handler.java
@@ -6,6 +6,8 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import java.io.IOException;
+
+import org.eclipse.jetty.server.CookieCutter;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.handler.AbstractHandler;
@@ -137,7 +139,10 @@ public class Handler extends AbstractHandler
        final Stored<Account> account = session.value.account;
        // User is now logged in with a valid sesion.
        // We set the session cookie to keep the user logged in:
-        response.addCookie(new Cookie("session",session.identity.toString()));
+        Cookie cookie = new Cookie("session",session.identity.toString());
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true);
+        response.addCookie(cookie);
        
        final PrintWriter out = response.getWriter();
        // Handle a logged in request.